#!/bin/bash

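# Turns on keyboard-interactive (PAM) authentication in sshd and appends a
# pam_access gate followed by pam_google_authenticator to /etc/pam.d/sshd.
# Requires sudo rights and a systemd host whose SSH service unit is named "ssh".
set -euo pipefail

sshd_config=/etc/ssh/sshd_config
pam_sshd=/etc/pam.d/sshd
access_file=/etc/security/access-localhost.conf

# These substitutions only rewrite directives that already exist uncommented;
# a commented-out or missing directive is left as it is.
sudo sed -i 's/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/g' "$sshd_config"
sudo sed -i 's/^KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/g' "$sshd_config"

# Surface the silent no-op case so the operator does not assume the prompt is enabled.
if ! sudo grep -qE '^(ChallengeResponseAuthentication|KbdInteractiveAuthentication) yes' "$sshd_config"; then
    echo "warning: no active keyboard-interactive directive found in $sshd_config; enable it manually" >&2
fi

# Idempotency guard: the PAM stack is only extended once, keyed on the access file path.
if grep -qF -- "$access_file" "$pam_sshd"; then
    echo "skip config access-localhost.conf"
else
    # [success=1 default=ignore]: when pam_access accepts the login, the next
    # module (pam_google_authenticator) is skipped; otherwise the code is required.
    printf '%s\n' \
        "auth [success=1 default=ignore] pam_access.so accessfile=${access_file}" \
        'auth required pam_google_authenticator.so no_increment_hotp' \
        | sudo tee -a "$pam_sshd" >/dev/null

    # Initial rules are fail-open: '+ : ALL : ALL' accepts every user from every
    # origin, so the second factor is bypassed for everyone until this file is
    # narrowed (e.g. by activating the commented '- : ALL : ALL' catch-all).
    printf '%s\n' \
        '+ : ALL : ALL' \
        '+ : ALL : LOCAL' \
        '#- : ALL : ALL' \
        | sudo tee -a "$access_file" >/dev/null
fi

# Validate sshd_config before restarting so a syntax error cannot take the
# daemon down. This does not check the PAM stack; keep an existing session open
# and test a fresh login before logging out.
if ! sudo sshd -t; then
    echo "sshd configuration test failed; ssh was not restarted" >&2
    exit 1
fi

sudo systemctl restart ssh

echo "please config /etc/security/access-localhost.conf !!!"

# Make the fail-open state explicit while the permissive default rule is still present.
if sudo grep -qxF -- '+ : ALL : ALL' "$access_file"; then
    echo "warning: $access_file still allows ALL : ALL, so the verification code is not enforced for any login" >&2
fi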
